
feat(golf): add JWT authentication and session reconnection #1119

Merged: aaylward merged 4 commits into main from feat/golf-jwt-reconnect on Mar 8, 2026
aaylward (Collaborator) commented Mar 8, 2026

Summary

  • Add JWT (HS256) authentication to golf WebSocket backend so player identity persists across connections
  • Players who disconnect (e.g. switching apps on mobile to share a link) can reconnect within a 5-minute grace period and resume their room/game with the same player ID
  • Manual JWT implementation using stdlib crypto/hmac + crypto/sha256 — no external dependencies
  • Validates alg header field to prevent algorithm confusion attacks

Details

  • auth.go: TokenManager for creating/validating JWTs with 24h TTL
  • golf_hub.go: Rewritten to require authentication before any game action; tracks disconnected sessions; handles reconnection by swapping client references
  • game.go: Added ReplaceClient for updating player's client ID on reconnect
  • types.go: Added PlayerSession, AuthenticatedMessage types

Test plan

  • TestHub_AuthenticationRequired — unauthenticated messages rejected
  • TestHub_AuthenticationFlow — new session creation works
  • TestHub_TokenReconnection — full reconnect flow with token
  • TestHub_AlgValidation — tampered tokens and wrong algorithms rejected
  • All existing hub and integration tests updated to authenticate first
  • bazel test //domains/games/apis/games_ws_backend/golf:golf_test passes
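
An added example, not code from this PR: one way to build and verify an HS256 token with only the Go standard library, checking the MAC with a fixed algorithm and rejecting any header whose alg is not HS256. The names Mint and Verify, the sub and exp claims, and the key and timestamps are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// sign returns base64url(HMAC-SHA256(secret, input)).
func sign(secret []byte, input string) string {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(input))
	return b64.EncodeToString(h.Sum(nil))
}

// Mint takes alg only so the demo can forge headers; sub/exp are assumed claims.
func Mint(secret []byte, alg, sub string, exp int64) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(map[string]any{"sub": sub, "exp": exp})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + sign(secret, input)
}

// Verify always MACs with HMAC-SHA256 (constant-time compare), then pins alg, then checks expiry.
func Verify(secret []byte, token string, now int64) (string, error) {
	var hdr struct{ Alg string `json:"alg"` }
	var c struct{ Sub string `json:"sub"`; Exp int64 `json:"exp"` }
	p := strings.Split(token, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(sign(secret, p[0]+"."+p[1]))) {
		return "", fmt.Errorf("malformed token or bad signature")
	}
	if raw, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return "", fmt.Errorf("unsupported alg")
	}
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil || now >= c.Exp {
		return "", fmt.Errorf("invalid or expired claims")
	}
	return c.Sub, nil
}

func main() {
	key := []byte("constructed-demo-secret") // constructed key and timestamps
	fmt.Println(Verify(key, Mint(key, "HS256", "player-1", 2000), 1000))
	fmt.Println(Verify(key, Mint(key, "none", "player-1", 2000), 1000))
}
```

The signature is checked before any JSON is parsed, so the header and claims are only decoded once they are known to be authentic.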

cloudflare-workers-and-pages bot commented Mar 8, 2026

Deploying with Cloudflare Workers

Status: ✅ Deployment successful!
Name: 1d4-web
Latest Commit: 7011244
Updated (UTC): Mar 08 2026, 08:40 PM

Decouple player identity from WebSocket connections so players can
reconnect after brief disconnections (e.g. switching apps on mobile
to share a link) and resume their room/game with the same player ID.

- Add manual JWT (HS256) token manager using stdlib crypto (no deps)
- Require authenticate message as first action after connecting
- Track disconnected sessions with 5-minute grace period
- Swap client references on reconnect without removing from game
- Add auth, reconnect, and algorithm validation tests
aaylward force-pushed the feat/golf-jwt-reconnect branch from 44af9de to aeb2802 on March 8, 2026 20:23
aaylward added 3 commits on March 8, 2026 16:31
Update all three READMEs to accurately document the hub interface,
JWT auth/reconnect flow, message protocol, and code layout. Remove
speculative roadmap checklists that belonged in issues, not docs.
aaylward enabled auto-merge (squash) on March 8, 2026 20:40
aaylward disabled auto-merge on March 8, 2026 20:45
aaylward enabled auto-merge (squash) on March 8, 2026 20:46
aaylward merged commit 4ebdebe into main on Mar 8, 2026
16 of 17 checks passed
aaylward deleted the feat/golf-jwt-reconnect branch on March 8, 2026 20:50